Unified criterion for security of secret sharing in terms of violation of Bell inequalities 



m 

O 

o 

(N 

> 
O 

(N 

> 

O 
m 
o 

:^ 

Oh; 



Aditi Sen(De), Ujjwal Sen, and Marek Zukowski 
Instytut Fizyki Teoretycznej i Astrofizyki, Uniwersytet Gdanski, PL-80-952 Gdansk, Poland 

In secret sharing protocols, a secret is to be distributed among several partners so that leaving out 
any number of them, the rest do not have the complete information. Strong multiqubit correlations 
in the state by which secret sharing is carried out, had been proposed as a criterion for security of 
such protocols against individual attacks by an eavesdropper. However we show that states with 
weak multiqubit correlations can also be used for secure secret sharing. That our state has weak 
multiqubit correlations, is shown from the perspective of violation of local realism, and also by 
showing that its higher order correlations are described by lower ones. We then present a unified 
criterion for security of secret sharing in terms of violation of local realism, which works when the 
secret sharing state is the Greenberger-Horne-Zeilinger state (with strong multiqubit correlations), 
as well as states of a different class (with weak multiqubit correlations). 



I. INTRODUCTION 

Violation of Bell inequalities seem to be a signature of 
what has been called "useful entanglement" ■ It was 
shown in Ref. that violation of local realism can be 
seen as a criterion for security of secret sharing protocols 
P, It was argued that a strong violation of multi- 
qubit Bell inequalities ||5||, iQ] by the state that acts as the 
vehicle in secret sharing can be a criterion for security 
of the secret sharing. Violation of local realism was also 
shown to be connected with distillability ^] and super- 
classical communication complexity 0- 

In a secret sharing protocol, the holder of a secret (call 
her Alice) wants to distribute her secret among A^— 1 sep- 
arated parties (call them Bobs, Bi, B2, ■ ■ ■ , Bn-i) such 
that leaving out any (non-zero) number of the Bobs, the 
other Bobs would have no information about Alice's se- 
cret. Such protocols were shown to be possible in Refs. 
0, H , if Alice and the A^ — 1 Bobs share a large number 
of certain entangled states @, [9] . 

Such a protocol could suffer from the onslaught of a 
possible eavesdropper Evan. Evan could spy (quantum 
mechanically) on the channels that carry the states from 
Alice to the Bobs and obtain information about Alice's 
secret. In Ref. 0, it was shown that if the secret shar- 
ing is carried out by using Greenberger-Horne-Zeilinger 
(GHZ) states, the secret of Alice is secure from eaves- 
dropping as long as the state between Alice and Evan 
(after eavesdropping) does not violate any Bell inequality 
while the state between Alice and the Bobs (after eaves- 
dropping) violates the A^-qubit Bell inequalities 
very strongly. 

In this paper, we show that security of secret sharing 
in the multi-qubit scenario can be possible even when the 
state between Alice and the Bobs of the secret sharing 
protocol contains weak multi-qubit correlations. We ar- 
gue that the criterion for security of secret sharing is of 
a different type. 

(i) The state shared between Alice and the Bobs (af- 
ter eavesdropping), if suitably projected into cer- 
tain states by all but one Bobs, the remaining Bob 
would share a state with Alice, which violates a 



two-qubit Bell inequality. 

(ii) At the same time, the state between Alice and Evan 
must satisfy such inequalities. 

We show that both for the GHZ state, which contains 
strong multi-qubit correlations (in the sense of strong vi- 
olation of multi-qubit Bell inequalities), as well as for 
another state (we call it the G state), which in several 
ways (as indicated below) contains weak multi-qubit cor- 
relations, the security of secret sharing is exactly in the 
same range in which both the above conditions, (i) and 
(ii), are met. This criterion can therefore be seen as a 
unified criterion for security of secret sharing. We sub- 
sequently show, that the A^-qubit G state cannot have 
strong A^-qubit correlations. This is in the sense that 

(a) the A^-qubit correlation functions of the G-state 
only weakly violate the multi-qubit Bell inequali- 
ties as compared to the GHZ state. 

(b) The A^-qubit correlations of this state are deter- 
mined by lower-order correlations of the state in 
contrast to the GHZ state 10] . 



II. NEW STATES FOR SECRET SHARING 



(1) 



The state 

\Gn) = ^{Wn) + \Wn)) 
can be used for secret sharing, where 

with |0) and |1) being the eigenvectors of tiz, and e.g., 
^ llO**^"^) denotes the unnormalised superposition of 
all A^ arrays of (A^ — 1) |0)s and a single |1). Note that 



IG4) 



V2 



«i4 



\-xr') 



2 



where 

|±x) = i=(|0)±|l)). 

However, for more qubits, this family is different than 
the GHZ family, as we would show later. 

The property of the G state that would help us to use 
it for secret sharing is the following: 

whenever N = 2M. The first equation follows from the 
fact that 



in their ax basis measurements, the state of remaining 
two qubits is such that the single-qubit density matrix 
at Alice is mixed. Similarly, if all the parties happen to 
choose ay as their observable, then the result of Alice is 
related to those of the Bobs by 



■SA = (-1) 



M+1 



SBi 



■SB2 



In this way, a sequence of random bits is created at Alice 
and if there is no eavesdropping, the Bobs (if all of them 
cooperate) would be able to reproduce the same random 
sequence. 



\Wn) = \Wn). 



Wm) = \Wn) 



To derive the second equation in eq. (0), note that 



Gn) = 



1 . 



^/2 



{-\WN) + {-lf-'\WN)) 



The state on the right-hand-side is orthogonal to |Gjv) 
for odd N . But for even N{= 2M), the right-hand-side 
is-*2*^|Gjv). 

Suppose that Alice (A) has some information which 
she wishes to secretly distribute among 2M — 1 Bobs 
{Bi,B2, . . . , B2M-i)- But she wishes to distribute it in 
such a way that all the Bobs must cooperate to obtain 
the message. Leaving out any nonzero number of Bobs, 
the remaining Bobs would not be able to gather the com- 
plete information about Alice's bit. This is equivalent 
to the situation when Alice is able to secretly distribute 
a random sequence of binary digits (bits) to the Bobs 
with the same property. Let us now show that this is 
possible by using the G2A/-state, shared between Alice 
and the 2M — 1 Bobs. Suppose that Alice and the Bobs 
share a large number of the G'2A/-state and they randomly 
choose between the ax and ay observables to make a mea- 
surement on their respective parts of the shared states 
. Subsequently they publicly share information about 
the bases in which they have made their measurements. 
(They obviously do not share information about the re- 
sults of the measurements.) They keep only those results 
in which all of them measured in the same basis, that is 
when either all of them measured in the cra;-basis or all 
of them measured in the CTj,-basis. In any run of such a 
Bell type experiment, if all the parties happen to choose 
ax as their observable, then the 2M results at Alice and 
the 2M — 1 Bobs are related by (see eq.(|21l) 

TATB^ ■■■rB^M-i = 1- 

If all the Bobs cooperate, then they know that 

TA = . ..rB^M-i- 

If any nonzero number of Bobs refuse to cooperate or are 
left out, the remaining Bobs cannot gather the complete 
information about r^- This is because irrespective of 
what results that any 2M — 2 Bobs happen to obtain 



III. SECURITY 

We now consider the security of the distributed se- 
quence of random bits against a possible eavesdropper, 
Evan. We work with the assumption that Evan would 
only be able to make coherent but individual attacks. 
Thus although Evan may attack coherently on all the 
qubits sent to the Bobs (from Alice) in a single run of 
the experiment, he is not able to perform joint opera- 
tions on qubits from different runs. As has been stressed 
in a recent review 0, at present, even individual attacks 
by an eavesdropper would be very challenging in reality. 

The states that are shared by the Bobs after the mea- 
surements by Alice are as follows: 



\±x) 
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(3) 



the left hand column in eq.Q being the outcome ob- 
tained at Alice, while the right hand side gives the cor- 
responding state that is shared by the Bobs. Here |±a;) 
and |±?/) are the eigenvectors of ax and ctj,, and 
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(X) |lO'*^*'-'^^) -f |l«'2M-l^-j 
(X) |01®^*'-^~^) -I- |0'^2M-l^-j 



(4) 



Note that the protocol for secret sharing is exactly 
equivalent to the BB84 key distribution protocol [l3l| . 
when we consider the problem of eavesdropping and the 
eavesdropping is coherent. Consequently the optimal co- 
herent individual attack that Evan {E) can perform, is 
given by the unitary transformation |l4| 



Vbe\^\^) = 
Ube\^)\0) = 



I0|0)_ 
cos0|e)|O) 



^01011) 



(5) 



where B denotes B1B2 ■ ■ ■B2M-1 and (f> e [0,7r/2]. Af- 
ter Evan implements his attack, i.e., after he applies the 
unitary operation Use given by eq.©, the state Gat of 
Alice and the Bobs coupled with the probe |0) of Evan 
transforms as 



\Gn)ab\0)i 



lAB 

- COS 6 \ V 



J) ABE = 7l(|0)^|0s|0)i, 

A\i)B\^)E + sin0|l)^|O 



bWe) 



(6) 
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The condition that is needed for security is [IE 



Therefore 



I{A : B) > I{A : E), 



(7) 



where again B denotes the aggregate of aU the Bobs. This 
security imphes that AUce and the Bobs can run a one- 
way protocol (privacy ampHfication) if and only if the 
condition ((TJ is satisfied. Here the mutual information 
I{X : Y) is defined as 



where 



IiX:Y) = H{X)-H{X\Y), 



is the Shannon entropy of a probability distribution {pi}. 

We would now calculate the mutual information (after 
Evan's attack), when Alice and the Bobs measure either 
all of them in the ax basis or all of them in the ay basis. 
This happens with equal probability. Therefore in our 



IiA:B) = l--{H,iA\B)+HyiA\B)). 

(As Alice chooses her measurements randomly, H{A) = 
1.) The state shared between Alice and the 2M — 1 Bobs 
(after Evan's attack) is (see eq.©) 



1 + cos^ 



PAB 

where 



a [a 



|l>IO(l|(ei, (8) 



|a) 



|0)|0+cos^|l)|0 

y/l + COS^ (j) 



Let us first evaluate 



Hx{A\B) = px{B - l)Hx{A\B = 1) 

+ pAB = -l)Hx{A\B = -1) 



(9) 



where for example, Px{B = 1) is the probability of the 
event "B = 1" , when all the Bobs measure in the ax basis. 

Tracing out A from pab, the state pB shared between 
the 2M - 1 Bobs is (see eq.®) 



1 + sin-^ 



10 (CI 



I?) (?l 



Consequently, 



and from eq.®. 



PxiB = ±l) 



Px{A = 1, B = ±1) = px{A = -1, B = Tl) 



1 ± cos ( 



Hx{A\B = l)= Hi- 



cos I 



where H{p) = — plogjp — (1 — p) log2(l — p) is the bi- 
nary entropy function. By symmetry, the expression for 
Hx{A\B = —1) is exactly the same. So from eq.ljHJ, one 
obtains 



1 



cos ( 



Hx{A\B)=H{ 



By symmetry, the expression for Hy{A\B) is exactly the 
same as that for Hx{A\B). So finally. 



I{A:B) = \- H{ 



1 



C0S( 



(10) 



I {A : E) is obtained by replacing </> by 7r/2 — in I {A : 
B). With these expressions, one can see that the security 
condition {T)) holds if and only \i (f) < 7r/4. 

Consider now the state pab (given by eq.ljSJ), obtained 
by tracing out the eavesdropper E, after the eavesdrop- 
ping. If any 2M — 2 of the 2M — 1 Bobs perform mea- 
surements in the az basis and obtains either jg)**^*^^^ or 
|^^»2M-2 [l^[l3), then the remaining Bob (say Bk) 
shares with Alice the (two-qubit) state 



PABk 



sm 



111) (111 



where 



|01) -f COS0I1O) 



•\/l + COS^ (j) 

The two-qubit state pab^ violates local realism if and 
only if ^ < 7r/4 Note that there are no sequen- 

tial measurements involved. The parties follow the ordi- 
nary Bell-type experiment and classical communication 
is needed only to share this data. We consider viola- 
tion of local realism exhibited by a subset of this data. 
Measurements at the parties do not depend on results of 
measurements at the other parties. 

On the other hand, the state obtained after we trace 
out the Bobs (from the state ^be^ given by eq. ©), 



1 



sm 



cos 



PAE 



where 



l7) = 



l7> (7l 



|00) -|-sin(/)|ll) 



|10) (101 



The state pae violates local realism if and only if > 7r/4 

m 

Therefore for e [0,7r/4), the state shared (after 
eavesdropping by Evan) between Alice and the Bobs vio- 
late local realism in the sense described above, while the 
Alice-Evan state does not violate local realism. And the 
secret sharing is secure in exactly the same range. 
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IV. COMPARISON WITH THE GHZ STATE 



Violation of local realism 



A related feature was obtained in , where secret shar- 
ing was investigated by using the GHZ state [T^ 



IGHZat) = 



V2 



(|0^^) + |l'^^)). 



However in this case, it was shown that the secret sharing 
protocol is secure as long as after eavesdropping by Evan, 
strong N = 2M qubits correlations are still present in 
the state shared by Alice and Bobs. If secret sharing is 
carried out by a shared GHZ state, as has been considered 
in 0, the shared state (after optimal eavesdropping by 
Evan) between Alice, the 2M — 1 Bobs and Evan is just 
the same as displayed on the right hand side of eq.® 
with the replacement 



10 



Q«i2Af-l^ 



Consider the state between Alice and any one of the Bobs, 
after measurements in the cr^-basis at the other Bobs, and 
suppose that either \+x) clicks at all those 2M — 2 Bobs, 
or |— a;) clicks at all of them. As can be checked, this 
state again violates local realism if and only if </> < 7r/4. 
The state shared by Alice and Evan does not violate local 
realism in that range. This is the range in which secret 
sharing is secure. 

In , it was numerically shown that the complete set 
of Bell inequalities in multi-qubit systems 0,0 is violated 
by the state shared between Alice and the 2M — 1 Bobs 
(after eavesdropping by Evan) by a magnitude of more 
than 2^"^ if and only if G [0, 7r/4). In this range, the 
Alice and Evan state does not violate any Bell inequal- 
ity. It was therefore proposed that this form of strong 
violation of local realism for the 2M-qubit correlations is 
a criterion for security in secret sharing. 

However we have shown that the range in which se- 
curity of secret sharing by a GHZ state is obtained, is 
also concurrent with violation of local realism in another 
form; that of satisfying items (i) and (ii) in the Introduc- 
tion. This feature is also shared by our G states. The 
proposed criterion is therefore a unified criterion for se- 
curity of secret sharing. 



Consider the white noise admixed iV-qubit state Gat, 

p<=« ^PN \Gn) {Gn\ + (1 -pAr)pL.e (H) 

where p^oise — maximally mixed state of N 

qubits. If TV — 2 parties make measurements in the CTz 
basis, and if either |0) clicks at all the parties, or |1) clicks 
at all the parties, the collapsed state is given respectively 
by 

P^^®(®il3|o).. (o|) 

or 

P^^®(®il3li>..(i|)> 

where p*^^ is the Werner state 

P^^ =P{N^2) IG2) (G2I + (1 -P(Ar^2))p: 



noise 



with 



and 



1 



|G2) = ^(|01) + |10)). 



The state p^^ has no local realistic description for 
P(N^2) > 1/^2- This would imply that the state p''"" 
cannot have a local realistic model for 

N 



N + 1)2^- 



A GHZ state of qubits maximally violates the multi- 
qubit Bell inequalities 0, 0| and the amount of violation 
is -\/2^+i. Consequently the noisy GHZ state 

pGHZ. ^ g^P|e^^^^ + (1 - gjv)pLse (12) 

violates local realism for 



JV-1 



But for N > 13, 



STRENGTH OF MULTIQUBIT 
CORRELATIONS 



The GHZ states have strong multiqubit correlations. 
In contrast, the family |G2m), which can also be consid- 
ered as the vehicle of the secret sharing, is unlikely to 
produce a strong violation of local realism for 2M-qubit 
correlations. On the contrary, we will show that it has a 
large amount of its entanglement concentrated in corre- 
lations of lower number of parties. In the following, we 
drop the restriction that the number of parties is even. 



crit crit 
PGn ^ IGHZn- 

Thus for TV > 13, the nonclassicality of the correlations in 
Gn is more robust to "white noise" admixture than the 
one for the corresponding GHZ state. A similar method 
was used in Ref. |0| (cf. ^3) to show that the non- 
classical behavior of the W states is stronger than that 
of the GHZ state for sufficiently large number of parties. 
Note here that the robustness to white noise admixture 
of the nonclassicality of correlations in the Gat states ob- 
tained by the above method is weaker than the one that 
is obtained for the corresponding W state. 



5 



Therefore strong nonclassical properties of the Gn 
states emerge after local projection measurements in 
some parties. This strong nonclassicality for lower num- 
ber of parties seems to imply that the iV-party correla- 
tions are weak. One can see this more directly in the 
following considerations for the 6-qubit G state, the low- 
est number of qubits in which secret sharing is possible 
with a G state and which is not simply a GHZ state. 
Consider the correlation tensor T'^" of the state Gg, the 
elements of which are given by 



tr(P| 



Ge)' 



r(l) 



r(6) 



Explicit calculation reveals the following structure of the 
tensor: 



1 — 1 



iXi) (g 

E(<^tiyl) ® 



,lXi) (g) (( 



^^=31/3/ 



'3=3^ 



(x, y) sector. However we show below that the stronger 
7V-qubit correlations of the GHZ state as compared to the 
G state persists even when any local coordinate systems 
are considered. 

For any set of local coordinate systems, 



E 



-^xi...xe — 



E 



rp2 



23, 



xi,...,xe=x,y 



xi.. ..^XQ—x.y,z 



for the state Gg. So the noisy Gg-state has for sure a 
local realistic description for 6-qubit correlations, for 



P6 < 1/V23 « 0.208514. 

Therefore the 6-qubit GHZ state is definitely more robust 
to white noise admixture than the state Gg when 6-qubit 
correlations are considered. 



B. Higher order correlations are determined by 
lower order ones for the \Gn) state 



where for example J2 ^1 ^ ^2 23 zl (g Z5 (g zq contains 
all the 15 combinations of two xs and four zs. 

A sufficient condition for an A'^-qubit state p to have 
a local realistic model for A^-qubit correlations (of two- 
settings Bell experiments) is that 



E 



Xi . . .X — 



for any set of local coordinate systems [6j. Here x and 
y denote any two arbitrary orthogonal directions, which 
can be separately defined for each observer. 

For the noisy Gg state p*^" given by the ea. ljllll . 



E 



rj-iZ 



for the fixed local coordinate system in which the secret 
sharing is considered. Thus an explicit local realistic de- 
scription for the (x, y) correlations for the state p'^'^ exists 
for 



P6 < \/3/16 « 0.433012 

whereas (for the correlations in the same sector) the noisy 
6-qubit GHZ state fea. l|12|) ') has no local realistic descrip- 
tion for 



qe > 1/V32 w 0.176777. 

The latter follows from the fact that the 6-qubit GHZ 
state violates the multiqubit Bell inequalities maximally, 
and the amount of violation is \/2^. This shows that 
the A^-qubit correlations of the GHZ state are stronger 
in comparison to that of the G-state. Since the scheme 
of the secret sharing protocol is for and ay measure- 
ments in a fixed local coordinate system, it is probably 
enough to check the sufficiency for local realism in the 



We would now give yet another argument to show that 
the A^-qubit state \Gn) has weaker 7V-qubit correlations 
than the A^-qubit GHZ state. Note that for the GHZ 
state, information regarding the reduced density matrices 
of lower number of parties is insufficient to describe the 
whole A^-party state. Indeed the state 

has the same single-party, 2-party, . . ., {N — l)-party 
reduced density matrices as the state IGHZa?). Conse- 
quently, high order correlations of the GHZ states are 
not determined by lower order correlations. However, as 
shown in this feature is rare. For almost all states, 
actually the opposite is true. 

On the lines of loj, we will now show that for the 
states \Gn), for A^ > 5, there is no other state (pure 
or mixed) whose (A^ — l)-party reduced density matrices 
match those of the Gat state. 

For convenience of notation, let us call the parties shar- 
ing the A^-qubit Gat state as 1, 2, . . . , TV. A state whose 
(A^ — l)-party reduced density matrices agree with those 
of Gat, may be a mixed state. We therefore allow for an 
environment E. Any such state, whose (A^ — l)-party re- 
duced density matrix of the parties 1,2,..., (A^ — 1) agree 
with the state Gat, can be written as 

lx> = -;^(l«o)i2...(jv-i) \Eo)ne + ki>i2...(iv-i) l^i>A'£;)' 



(13) 



where 



\vo) - ^(E|io«^"^) + |i^^-^)) 

\vi) = ^(E|oi^^-') + |o«^-i)) ^^^> 

and |£^o) and \Ei) are orthonormal. Note that \vo) and 
\vi) are just the states |^) and |0 extended also to the 
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case of even N (see eq. Q). Since \Eo) and \Ei) are 
orthonormal, they can be written as 



\Eo) 
\Ei) 



|0>Ar |eoo>ij ■ 

|0)Ar |eio)s ■ 



|l>Ar |eoi>£; 



1 



AT 



\eii) 



(15) 



Let us now try to match the (A^— l)-party reduced density 
matrix of the parties 2, 3, . . . , iV of the state Gn with that 
of Ix)- Consequently, it should be possible to write \x) 



as 



Ix) = -^{\vo)23...N 



Fo),e + \^i)23...n\Fi)ie)^ (16) 



where the states \vo) and \vi) are given by eq. ((TH) . and 
the orthonormal environment states |Fo) and are 
given by 



l^o) = |0)il/oo)s + |l)il/oi)s 
\Fi) = |0)il/io)s + |l)il/ii)£- 



(17) 



The states on the right hand sides of the equations 
(|13|l and (|16|l are actually the same states. Comparing 
the different terms, it is not hard to see that for N > 5, 



\eoo) 
|eoi) 



|eii) 
|eio) 



0. 



(18) 



Therefore the state |x), for > 5, is a product state 
of \Gn) with a state of the environment, if \x) has its 
{N — l)-party reduced density matrices equal to the cor- 
responding ones for \Gn)- Thus for TV > 5, there are no 
other iV-qubit states whose {N — l)-qubit reduced den- 
sity matrices are equal to those of \Gn)- Therefore, con- 
trary to the GHZ states, given the (TV — l)-qubit reduced 
density matrices, the state \Gn) is already completely 
specified. This again underlines the fact that the state 
\Gn) does not possess strong iV-qubit correlations. This 
also explicitly shows that the states \Gn), for N > 5, are 
not from the GHZ family. 



VI. SUMMARY 



We have given a criterion on security of secret sharing 
protocols. The criterion is based on violation in a specific 
way, of Bell inequalities (as given by items (i) and (ii) in 
the Introduction). A criterion for security of secret shar- 
ing based on violation of Bell inequalities was provided 
in 1] . Let us mention here that we do not simply extend 
this previously known criterion of Ref. (1||. The crite- 
rion mentioned in Ref. jj (call it CI), is not satisfied 
by the G-states considered in our paper. And yet secret 
sharing is possible by using the G-states. We have put 
forward an independent criterion. Our criterion (call it 
C2), although again based on violation of Bell inequali- 
ties, is drastically different from the criterion mentioned 
in Ref. . And we find that both the GHZ state (which 
was shown in Ref. to satisfy CI and useful for secret 
sharing) and the G-state (which is shown in this paper 
to violate CI and still useful for secret sharing) are sat- 
isfying our criterion C2. 

We believe that these considerations would be useful 
in the general discussions as well as as for applications of 
quantum cryptography ■ 
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